[Bug 602689] Re: Segmentation fault in libapache2-mod-php5 when calling methods

Kurt Huwig 602689 at bugs.launchpad.net
Tue Sep 14 14:36:07 BST 2010


The bug happens in this line:

        if (--(*op_array->refcount)>0) {
                return;
        }

of destroy_op_array, when the code tries to read the refcount, according
to the disassembler:


Dump of assembler code for function destroy_op_array:
   0x00007f6c321e2080 <+0>:     push   %r13
   0x00007f6c321e2082 <+2>:     push   %r12
   0x00007f6c321e2084 <+4>:     push   %rbp
   0x00007f6c321e2085 <+5>:     push   %rbx
   0x00007f6c321e2086 <+6>:     mov    %rdi,%rbx
   0x00007f6c321e2089 <+9>:     sub    $0x8,%rsp
   0x00007f6c321e208d <+13>:    mov    0x48(%rdi),%rbp
   0x00007f6c321e2091 <+17>:    mov    0x50(%rdi),%r13d
   0x00007f6c321e2095 <+21>:    mov    0x90(%rdi),%rdi
   0x00007f6c321e209c <+28>:    test   %rdi,%rdi
   0x00007f6c321e209f <+31>:    je     0x7f6c321e20b2 <destroy_op_array+50>
   0x00007f6c321e20a1 <+33>:    callq  0x7f6c321f6940 <zend_hash_destroy>
   0x00007f6c321e20a6 <+38>:    mov    0x90(%rbx),%rdi
   0x00007f6c321e20ad <+45>:    callq  0x7f6c321ccc80 <_efree>
   0x00007f6c321e20b2 <+50>:    mov    0x40(%rbx),%rdx
=> 0x00007f6c321e20b6 <+54>:    mov    (%rdx),%eax
   0x00007f6c321e20b8 <+56>:    sub    $0x1,%eax
   0x00007f6c321e20bb <+59>:    test   %eax,%eax
   0x00007f6c321e20bd <+61>:    mov    %eax,(%rdx)
   0x00007f6c321e20bf <+63>:    je     0x7f6c321e20d0 <destroy_op_array+80>

The pointer looks bad, as rdx points to 0x7f6c28390138:

(gdb) info registers
rax            0x7f6c321e2270   140102674031216
rbx            0x7f6c36d2a7b0   140102752970672
rcx            0x201f0  131568
rdx            0x7f6c28390138   140102508020024
rsi            0x0      0
rdi            0x0      0
rbp            0x7f6c28390140   0x7f6c28390140
rsp            0x7fff2f1ae250   0x7fff2f1ae250
r8             0x7f6c36583290   140102744945296
r9             0xc08e69804da8f602       -4571600571954825726
r10            0x7f6c3691aad0   140102748711632
r11            0x7f6c365f2c20   140102745402400
r12            0x7f6c36d6bc00   140102753238016
r13            0xd42    3394
r14            0x7fff2f1aebf8   140733983681528
r15            0x113e0  70624
rip            0x7f6c321e20b6   0x7f6c321e20b6 <destroy_op_array+54>
eflags         0x246    [ PF ZF IF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

and this location is not memory mapped:

(gdb) x 0x7f6c28390138
0x7f6c28390138: Cannot access memory at address 0x7f6c28390138

The bug does not happen with php-cli, but it does with apache-php.

-- 
Segmentation fault in libapache2-mod-php5 when calling methods
https://bugs.launchpad.net/bugs/602689
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.
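
The line quoted in the report is the usual shared-refcount pattern: several
shallow copies of an op_array point at one heap-allocated counter, and only
the owner that brings it to zero frees the shared parts. The following is an
added example, not PHP's code and not the cause of this bug, that models that
pattern in a few dozen lines. The struct layout, the helper names
(init_op_array, copy_op_array, destroy_op_array_checked) and the frees
counter are assumptions for illustration; only the decrement line mirrors
destroy_op_array. The checked variant poisons the refcount pointer after the
last destroy, so destroying the same struct twice is reported as an error
instead of reading through a dangling pointer like the one in the gdb dump.

```c
/* Added example: toy model of PHP's shared-refcount op_array pattern.
 * Not PHP source; names and layout are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int zend_uint;

/* Shallow copies share refcount and the payload behind it. */
typedef struct {
    zend_uint *refcount;     /* heap counter shared by all copies */
    char *function_name;     /* shared payload, must be freed exactly once */
} op_array_t;

static int g_payload_frees;  /* counts how often the shared payload was freed */

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

void init_op_array(op_array_t *op_array, const char *name)
{
    op_array->refcount = malloc(sizeof *op_array->refcount);
    *op_array->refcount = 1;
    op_array->function_name = dup_string(name);
}

/* Shallow copy: share everything, bump the shared counter. */
void copy_op_array(op_array_t *dst, const op_array_t *src)
{
    *dst = *src;
    ++(*dst->refcount);
}

/* Same shape as the crashing line in the report: decrement through the
 * pointer, free shared parts only when the last owner lets go. A copy whose
 * refcount pointer is already freed or garbage crashes right here. */
void destroy_op_array(op_array_t *op_array)
{
    if (--(*op_array->refcount) > 0) {
        return;
    }
    free(op_array->function_name);
    free(op_array->refcount);
    g_payload_frees++;
}

/* Hardened variant (assumption, not PHP's): NULL the pointer once this copy
 * has given up its reference, so a second destroy is detectable. */
int destroy_op_array_checked(op_array_t *op_array)
{
    if (op_array->refcount == NULL) {
        return -1;                    /* already destroyed: caller bug */
    }
    if (--(*op_array->refcount) > 0) {
        op_array->refcount = NULL;    /* this copy owns nothing now */
        op_array->function_name = NULL;
        return 0;
    }
    free(op_array->function_name);
    free(op_array->refcount);
    op_array->refcount = NULL;
    op_array->function_name = NULL;
    g_payload_frees++;
    return 0;
}

/* Three owners, payload freed exactly once: returns 1. */
int shared_refcount_demo(void)
{
    op_array_t a, b, c;
    g_payload_frees = 0;
    init_op_array(&a, "foo");
    copy_op_array(&b, &a);
    copy_op_array(&c, &a);
    destroy_op_array(&b);
    destroy_op_array(&c);
    destroy_op_array(&a);
    return g_payload_frees;
}

/* Destroying the same struct twice: checked variant refuses with -1. */
int double_destroy_demo(void)
{
    op_array_t a;
    g_payload_frees = 0;
    init_op_array(&a, "bar");
    if (destroy_op_array_checked(&a) != 0) return -2;
    return destroy_op_array_checked(&a);
}

int main(void)
{
    printf("shared refcount: payload freed %d time(s)\n", shared_refcount_demo());
    printf("double destroy: checked variant returned %d\n", double_destroy_demo());
    return 0;
}
```

Build with plain cc and run under valgrind or -fsanitize=address: the unchecked
destroy_op_array called twice on one struct is reported as a read of freed
memory, which is the same class of fault as the inaccessible rdx above.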



More information about the Ubuntu-server-bugs mailing list